Snort Alert Update Failure


  • Morning,

    Came in this morning to find all our pfSense & Snort installs have failed to update the rules overnight:

    	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    	Snort GPLv2 Community Rules md5 download failed.
    	Server returned error code 404.
    	Server error message was: 404 Not Found
    	Snort GPLv2 Community Rules will not be updated.
    

    Just trying to dig out the URL at the moment. Presumably this needs to be reported to some people somewhere.


  • @robemery said in Snort Alert Update Failure:

    needs to be reported

    Yep.
    This is the "address" :

    @robemery said in Snort Alert Update Failure:

    the URL

    edit: but don't worry: web servers are maintained by admins.
    Once in a while, a script fails, a file isn't created and this can't be found.
    Like the md5 file now.
    They will see their web server log file exploding with "request misses" and repair that very soon.


  • @Gertjan is correct. The Snort rules team at Talos/Cisco will get it resolved.

    The URL used by the Snort package is the same as the one posted on the Snort.org web site. There also appears to be an issue there this morning as well, so something seems amiss on their side with the Community Rules.

    The actual rules are hosted on Amazon Web Services infrastructure. The URLs posted on the Snort.org site and used by the package get redirected to AWS IP space.


  • Just wanted to jump in and say this is an issue I've had for about two weeks now as well; instead of a 404 error, I'm getting a 302.

    Does anyone know of a possible timeframe for a fix?


  • @idontknowmeiguess said in Snort Alert Update Failure:

    Just wanted to jump in and say this is an issue I've had for about two weeks now as well; instead of a 404 error, I'm getting a 302.

    Does anyone know of a possible timeframe for a fix?

    The rules download works for me and now so does the link on the Snort.org site. Do you have any other type of packages running? Especially something like Squid or Squidguard? Those can have issues with the way the Snort rules URLs internally redirect.

    If you paste https://www.snort.org/downloads/community/community-rules.tar.gz in your web browser, does it work? This URL will get redirected by the Snort web server to https://snort.org/downloads/community/community-rules.tar.gz.

    The actual URL used within the Snort GUI package is https://www.snort.org/downloads/community/community-rules.tar.gz. If that does not work for you from a browser on the same LAN/WAN as your firewall, then something on your end is blocking it. I've just tested this four times on my end and it works fine. I'm in the USA if that matters. Perhaps, if you are in another part of the world, there is something else going on preventing you from accessing the AWS infrastructure where Snort hosts the rules file.
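The two failure modes in this thread (a 404 on the `.md5` file, and a client that sees a 302 instead of the redirected file) are easiest to tell apart by walking the redirect chain by hand and then checking the tarball against the md5 file, which is the same sequence the update log shows. The script below is an added example, not code from the pfSense Snort package, and it makes two assumptions: that the `.md5` file contains the 32-character hex digest somewhere in its text, and that the tarball URL is the md5 URL with `.md5` stripped. The `fetch` function is injectable so the offline fixture at the bottom (constructed, not real snort.org responses) can reproduce the `www.snort.org` to `snort.org` redirect described above without network access.

```python
"""Diagnose a Snort rules download: walk redirects, fetch the .md5 file,
fetch the tarball, and verify the digest.  Added example, not pfSense code."""
import hashlib
import re
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import HTTPRedirectHandler, Request, build_opener

HEX_MD5 = re.compile(r"[0-9a-fA-F]{32}")   # assumption: digest appears as plain hex
MAX_HOPS = 5
REDIRECTS = (301, 302, 303, 307, 308)


class _NoRedirect(HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=15):
    """Return (status, Location header or None, body).  Uses the real network;
    the offline fixture below replaces it for the demonstration."""
    opener = build_opener(_NoRedirect())
    req = Request(url, headers={"User-Agent": "rules-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode(), None, resp.read()
    except HTTPError as err:          # 3xx (via _NoRedirect) and 4xx/5xx land here
        return err.code, err.headers.get("Location"), b""


def walk_redirects(url, fetch=http_fetch, max_hops=MAX_HOPS):
    """Follow Location headers manually, recording every hop, so a proxy that
    breaks redirects (the 302 symptom) or a missing file (404) is visible.
    Returns (hops, final_status, body); final_status is None on a loop."""
    hops = []
    for _ in range(max_hops + 1):
        status, location, body = fetch(url)
        hops.append((status, url))
        if status in REDIRECTS and location:
            url = urljoin(url, location)
            continue
        return hops, status, body
    return hops, None, b""


def expected_md5(md5_text):
    match = HEX_MD5.search(md5_text)
    return match.group(0).lower() if match else None


def verify_tarball(md5_text, tarball_bytes):
    """Compare the digest published in the .md5 file with the downloaded tarball."""
    want = expected_md5(md5_text)
    got = hashlib.md5(tarball_bytes).hexdigest()
    return want is not None and want == got, want, got


def diagnose(md5_url, fetch=http_fetch):
    hops, status, md5_body = walk_redirects(md5_url, fetch)
    result = {"md5_hops": hops}
    if status is None:
        result["verdict"] = "redirect loop fetching md5 file"
        return result
    if status != 200:
        result["verdict"] = f"md5 file not available: HTTP {status}"
        return result
    tar_url = md5_url[:-4] if md5_url.endswith(".md5") else md5_url   # assumption
    tar_hops, tar_status, tar_body = walk_redirects(tar_url, fetch)
    result["tar_hops"] = tar_hops
    if tar_status != 200:
        result["verdict"] = f"rules tarball not available: HTTP {tar_status}"
        return result
    ok, want, got = verify_tarball(md5_body.decode("ascii", "replace"), tar_body)
    result.update(expected=want, actual=got)
    result["verdict"] = "ok" if ok else "md5 mismatch: stale or tampered download"
    return result


# Constructed offline fixture: www.snort.org 302s to snort.org, as the post
# describes; with md5_missing=True the .md5 file returns 404 like the first post.
FAKE_TARBALL = b"not a real tarball, constructed for this example"
FAKE_MD5_TEXT = hashlib.md5(FAKE_TARBALL).hexdigest() + "  community-rules.tar.gz\n"


def make_fake_fetch(md5_missing=False):
    def fetch(url):
        if url.startswith("https://www.snort.org/"):
            return 302, url.replace("https://www.snort.org/", "https://snort.org/"), b""
        if url.endswith(".md5"):
            return (404, None, b"") if md5_missing else (200, None, FAKE_MD5_TEXT.encode())
        return 200, None, FAKE_TARBALL
    return fetch


if __name__ == "__main__":
    url = "https://www.snort.org/downloads/community/community-rules.tar.gz.md5"
    for name, fetch in (("healthy", make_fake_fetch()), ("md5 missing", make_fake_fetch(True))):
        report = diagnose(url, fetch)
        print(name, "->", report["verdict"], report["md5_hops"])
```

Run it with `fetch=http_fetch` (the default) against the real URL to see every hop your firewall actually gets; a chain that stops at a 302 pointing somewhere other than `snort.org` is the signature of an intercepting proxy such as the Squid setup mentioned above, while a final 404 on the `.md5` file alone is the server-side problem from the first post.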


  • @bmeeks Well, I can download them on my computer that's behind my pfSense box, but Snort (on pfSense) still won't download. Time to investigate. Thanks for the heads up, not sure why I didn't think about that, but that's life!


  • Just to be 100% sure the Snort GUI code had no issues, I fired up a pfSense-2.4.5_p1 virtual machine I use for testing and had it update Snort rules. The last time that VM had been powered up was back in September this year. It just updated all the rules I have configured on that test box. The update log is below:

    Starting rules update...  Time: 2020-12-13 23:08:23
    	Downloading Snort Subscriber rules md5 file snortrules-snapshot-29161.tar.gz.md5...
    	Checking Snort Subscriber rules md5 file...
    	There is a new set of Snort Subscriber rules posted.
    	Downloading file 'snortrules-snapshot-29161.tar.gz'...
    	Done downloading rules file.
    	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    	Checking Snort OpenAppID detectors md5 file...
    	There is a new set of Snort OpenAppID detectors posted.
    	Downloading file 'snort-openappid.tar.gz'...
    	Done downloading rules file.
    	Downloading Snort AppID Open Text Rules md5 file appid_rules.tar.gz.md5...
    	Checking Snort AppID Open Text Rules md5 file...
    	There is a new set of Snort AppID Open Text Rules posted.
    	Downloading file 'appid_rules.tar.gz'...
    	Done downloading rules file.
    	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    	Checking Snort GPLv2 Community Rules md5 file...
    	There is a new set of Snort GPLv2 Community Rules posted.
    	Downloading file 'community-rules.tar.gz'...
    	Done downloading rules file.
    	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    	Checking Emerging Threats Open rules md5 file...
    	There is a new set of Emerging Threats Open rules posted.
    	Downloading file 'emerging.rules.tar.gz'...
    	Done downloading rules file.
    	Extracting and installing Snort Subscriber Ruleset...
    	Using Snort Subscriber precompiled SO rules for FreeBSD-11 ...
    	Installation of Snort Subscriber rules completed.
    	Extracting and installing Snort OpenAppID detectors...
    	Installation of Snort OpenAppID detectors completed.
    	Extracting and installing Snort AppID Open Text Rules...
    	Installation of Snort AppID Open Text Rules completed.
    	Extracting and installing Snort GPLv2 Community Rules...
    	Installation of Snort GPLv2 Community Rules completed.
    	Extracting and installing Emerging Threats Open rules...
    	Installation of Emerging Threats Open rules completed.
    	Copying new config and map files...
    	Updating rules configuration for: WAN ...
    	Updating rules configuration for: OPT1 ...
    	Updating rules configuration for: OPT2 ...
    	Updating rules configuration for: LAN ...
    	Restarting Snort to activate the new set of rules...
    	Snort has restarted with your new set of rules.
    The Rules update has finished.  Time: 2020-12-13 23:09:49
    

    As you can see in the log file, it updated the Snort GPL rules.


  • @bmeeks hmm, this is pushing me more towards thinking I need to do a fresh install. Thanks for trying that!